From 6cbd56855e6f450ead9e1165eac486e9772536cb Mon Sep 17 00:00:00 2001
From: Al Francis
Date: Sun, 24 May 2026 00:59:19 -0700
Subject: [PATCH] fix: add security headers and crawler rules

---
 next.config.ts | 33 +++++++++++++++++++++++++++++++++
 public/robots.txt | 11 +++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 public/robots.txt

diff --git a/next.config.ts b/next.config.ts
index 9853702..359db36 100644
--- a/next.config.ts
+++ b/next.config.ts
@@ -3,12 +3,45 @@ import type { NextConfig } from "next";
 // Note: Cloudflare D1 dev platform setup is in instrumentation.ts
 // (supports async/await, runs before any routes are served)
 
+const contentSecurityPolicy = [
+  "default-src 'self'",
+  "base-uri 'self'",
+  "form-action 'self'",
+  "frame-ancestors 'none'",
+  "object-src 'none'",
+  "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://clerk.vanguard.laet4x.com https://*.clerk.accounts.dev https://*.clerk.dev https://*.clerk.com https://challenges.cloudflare.com",
+  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+  "img-src 'self' data: blob: https://img.clerk.com https://images.clerk.dev https://*.clerk.com https://*.clerk.dev https://petition.ph",
+  "font-src 'self' data: https://fonts.gstatic.com",
+  "connect-src 'self' https://api.clerk.com https://clerk.vanguard.laet4x.com https://clerk-telemetry.com https://*.clerk-telemetry.com https://*.clerk.accounts.dev https://*.clerk.dev https://*.clerk.com wss://*.clerk.accounts.dev wss://*.clerk.dev wss://*.clerk.com https://challenges.cloudflare.com",
+  "frame-src https://challenges.cloudflare.com https://*.clerk.accounts.dev https://*.clerk.dev https://*.clerk.com",
+  "worker-src 'self' blob:",
+  "upgrade-insecure-requests",
+].join('; ');
+
 const nextConfig: NextConfig = {
   images: {
     remotePatterns: [
       { protocol: 'https', hostname: 'petition.ph' },
     ],
   },
+  async headers() {
+    return [
+      {
+        source: '/(.*)',
+        headers: [
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          {
+            key: 'Permissions-Policy',
+            value: 'camera=(), microphone=(), geolocation=(), payment=(), usb=()',
+          },
+          { key: 'Content-Security-Policy', value: contentSecurityPolicy },
+        ],
+      },
+    ];
+  },
   // Prevent Turbopack/webpack from bundling native CF/wrangler packages —
   // they are Node.js-only and loaded at runtime via instrumentation.ts.
   serverExternalPackages: [
diff --git a/public/robots.txt b/public/robots.txt
new file mode 100644
index 0000000..7e3cf2c
--- /dev/null
+++ b/public/robots.txt
@@ -0,0 +1,11 @@
+User-agent: *
+
+# Protected application surfaces
+Disallow: /admin
+Disallow: /triage
+Disallow: /dashboard
+Disallow: /api
+Disallow: /sign-in
+Disallow: /sign-up
+
+# Public pages such as /, /hall-of-fame, /policy, and /submit remain crawlable by default.
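Review bot: The `script-src` line of the new `contentSecurityPolicy` allows `'unsafe-inline'` and `'unsafe-eval'`, which lets any injected inline script execute and so removes most of the XSS protection the rest of this well-chosen header set is meant to provide; that single directive is the part an attacker cares about. If the inline allowance exists for Next.js's own inline scripts, the usual route is a per-request nonce generated in middleware and emitted as `'nonce-<value>' 'strict-dynamic'`, which a static `headers()` config cannot do, so at minimum make eval development-only, e.g. splice `process.env.NODE_ENV === 'development' ? "'unsafe-eval'" : ''` into the `script-src` line, and leave a comment naming which Clerk or Turnstile requirement justifies `'unsafe-inline'` so it is not cargo-culted forward. The hunk sets `upgrade-insecure-requests` but no HSTS header; add `{ key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' }` to the same list unless the Cloudflare edge is known to inject it. Because the policy is enforced immediately with no `report-to`/`report-uri`, consider shipping it first as `Content-Security-Policy-Report-Only` to surface any blocked Clerk or Turnstile requests (the `form-action 'self'` restriction in particular may interfere with auth redirects) before switching to enforcement.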
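Review bot: The `Disallow` list in the new robots.txt enumerates `/admin`, `/triage`, `/dashboard` and `/api` under the heading "Protected application surfaces", which advertises exactly the paths an attacker would probe first while providing no protection, since robots.txt is advisory and only honoured by well-behaved crawlers. Whatever access control those routes have is not in this diff; keep them out of search results by enforcing auth there and sending `X-Robots-Tag: noindex` (or a `<meta name="robots">`) from those routes rather than by listing them here, and if the entries stay, reword the heading to something neutral such as `# Not useful to index` so the file does not label them as sensitive. A `Sitemap:` line is also absent, which is the one thing robots.txt is genuinely useful for if the public pages named in the trailing comment are meant to be crawled.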